From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev, Wei Yongjun <weiyongjun1@huawei.com>,
Alexander Aring <aahringo@redhat.com>,
Stefan Schmidt <stefan@datenfreihafen.org>,
Sasha Levin <sashal@kernel.org>
Subject: [PATCH 4.9 20/31] mac802154: fix missing INIT_LIST_HEAD in ieee802154_if_add()
Date: Mon, 12 Dec 2022 14:19:38 +0100 [thread overview]
Message-ID: <20221212130911.101560720@linuxfoundation.org> (raw)
In-Reply-To: <20221212130909.943483205@linuxfoundation.org>
From: Wei Yongjun <weiyongjun1@huawei.com>
[ Upstream commit b3d72d3135d2ef68296c1ee174436efd65386f04 ]
Kernel fault injection test reports null-ptr-deref as follows:
BUG: kernel NULL pointer dereference, address: 0000000000000008
RIP: 0010:cfg802154_netdev_notifier_call+0x120/0x310 include/linux/list.h:114
Call Trace:
<TASK>
raw_notifier_call_chain+0x6d/0xa0 kernel/notifier.c:87
call_netdevice_notifiers_info+0x6e/0xc0 net/core/dev.c:1944
unregister_netdevice_many_notify+0x60d/0xcb0 net/core/dev.c:1982
unregister_netdevice_queue+0x154/0x1a0 net/core/dev.c:10879
register_netdevice+0x9a8/0xb90 net/core/dev.c:10083
ieee802154_if_add+0x6ed/0x7e0 net/mac802154/iface.c:659
ieee802154_register_hw+0x29c/0x330 net/mac802154/main.c:229
mcr20a_probe+0xaaa/0xcb1 drivers/net/ieee802154/mcr20a.c:1316
ieee802154_if_add() allocates wpan_dev as netdev's private data, but not
init the list in struct wpan_dev. cfg802154_netdev_notifier_call() manage
the list when device register/unregister, and may lead to null-ptr-deref.
Use INIT_LIST_HEAD() on it to initialize it correctly.
Fixes: fcf39e6e88e9 ("ieee802154: add wpan_dev_list")
Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com>
Acked-by: Alexander Aring <aahringo@redhat.com>
Link: https://lore.kernel.org/r/20221130091705.1831140-1-weiyongjun@huaweicloud.com
Signed-off-by: Stefan Schmidt <stefan@datenfreihafen.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/mac802154/iface.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/net/mac802154/iface.c b/net/mac802154/iface.c
index 06019dba4b10..9f2355cb6701 100644
--- a/net/mac802154/iface.c
+++ b/net/mac802154/iface.c
@@ -670,6 +670,7 @@ ieee802154_if_add(struct ieee802154_local *local, const char *name,
sdata->dev = ndev;
sdata->wpan_dev.wpan_phy = local->hw.phy;
sdata->local = local;
+ INIT_LIST_HEAD(&sdata->wpan_dev.list);
/* setup type-dependent data */
ret = ieee802154_setup_sdata(sdata, type);
--
2.35.1
next prev parent reply other threads:[~2022-12-12 13:56 UTC|newest]
Thread overview: 41+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-12-12 13:19 [PATCH 4.9 00/31] 4.9.336-rc1 review Greg Kroah-Hartman
2022-12-12 13:19 ` [PATCH 4.9 01/31] arm: dts: rockchip: fix node name for hym8563 rtc Greg Kroah-Hartman
2022-12-12 13:19 ` [PATCH 4.9 02/31] ARM: dts: rockchip: fix ir-receiver node names Greg Kroah-Hartman
2022-12-12 13:19 ` [PATCH 4.9 03/31] ARM: 9251/1: perf: Fix stacktraces for tracepoint events in THUMB2 kernels Greg Kroah-Hartman
2022-12-12 13:19 ` [PATCH 4.9 04/31] ALSA: seq: Fix function prototype mismatch in snd_seq_expand_var_event Greg Kroah-Hartman
2022-12-12 13:19 ` Greg Kroah-Hartman
2022-12-12 13:19 ` [PATCH 4.9 05/31] ASoC: soc-pcm: Add NULL check in BE reparenting Greg Kroah-Hartman
2022-12-12 13:19 ` [PATCH 4.9 06/31] xen/netback: Ensure protocol headers dont fall in the non-linear area Greg Kroah-Hartman
2022-12-12 13:19 ` [PATCH 4.9 07/31] xen/netback: do some code cleanup Greg Kroah-Hartman
2022-12-12 13:19 ` [PATCH 4.9 08/31] xen/netback: dont call kfree_skb() with interrupts disabled Greg Kroah-Hartman
2022-12-12 13:19 ` [PATCH 4.9 09/31] rcutorture: Automatically create initrd directory Greg Kroah-Hartman
2022-12-12 13:19 ` [PATCH 4.9 10/31] mmc: sdhci: use FIELD_GET for preset value bit masks Greg Kroah-Hartman
2022-12-12 13:19 ` [PATCH 4.9 11/31] mmc: sdhci: Fix voltage switch delay Greg Kroah-Hartman
2022-12-12 13:19 ` [PATCH 4.9 12/31] media: v4l2-dv-timings.c: fix too strict blanking sanity checks Greg Kroah-Hartman
2022-12-12 13:19 ` [PATCH 4.9 13/31] HID: hid-lg4ff: Add check for empty lbuf Greg Kroah-Hartman
2022-12-12 13:19 ` [PATCH 4.9 14/31] HID: core: fix shift-out-of-bounds in hid_report_raw_event Greg Kroah-Hartman
2022-12-12 13:19 ` [PATCH 4.9 15/31] ieee802154: cc2520: Fix error return code in cc2520_hw_init() Greg Kroah-Hartman
2022-12-12 13:19 ` [PATCH 4.9 16/31] gpio: amd8111: Fix PCI device reference count leak Greg Kroah-Hartman
2022-12-12 13:19 ` [PATCH 4.9 17/31] e1000e: Fix TX dispatch condition Greg Kroah-Hartman
2022-12-12 13:19 ` [PATCH 4.9 18/31] igb: Allocate MSI-X vector when testing Greg Kroah-Hartman
2022-12-12 13:19 ` [PATCH 4.9 19/31] Bluetooth: 6LoWPAN: add missing hci_dev_put() in get_l2cap_conn() Greg Kroah-Hartman
2022-12-12 13:19 ` Greg Kroah-Hartman [this message]
2022-12-12 13:19 ` [PATCH 4.9 21/31] net: encx24j600: Add parentheses to fix precedence Greg Kroah-Hartman
2022-12-12 13:19 ` [PATCH 4.9 22/31] net: encx24j600: Fix invalid logic in reading of MISTAT register Greg Kroah-Hartman
2022-12-12 13:19 ` [PATCH 4.9 23/31] net: mvneta: Prevent out of bounds read in mvneta_config_rss() Greg Kroah-Hartman
2022-12-12 13:19 ` [PATCH 4.9 24/31] NFC: nci: Bounds check struct nfc_target arrays Greg Kroah-Hartman
2022-12-12 13:19 ` [PATCH 4.9 25/31] net: hisilicon: Fix potential use-after-free in hisi_femac_rx() Greg Kroah-Hartman
2022-12-12 13:19 ` [PATCH 4.9 26/31] net: hisilicon: Fix potential use-after-free in hix5hd2_rx() Greg Kroah-Hartman
2022-12-12 13:19 ` [PATCH 4.9 27/31] tipc: Fix potential OOB in tipc_link_proto_rcv() Greg Kroah-Hartman
2022-12-12 13:19 ` [PATCH 4.9 28/31] ethernet: aeroflex: fix potential skb leak in greth_init_rings() Greg Kroah-Hartman
2022-12-12 13:19 ` [PATCH 4.9 29/31] xen/netback: fix build warning Greg Kroah-Hartman
2022-12-12 13:19 ` [PATCH 4.9 30/31] net: plip: dont call kfree_skb/dev_kfree_skb() under spin_lock_irq() Greg Kroah-Hartman
2022-12-12 13:19 ` [PATCH 4.9 31/31] net: mvneta: Fix an out of bounds check Greg Kroah-Hartman
2022-12-12 18:14 ` [PATCH 4.9 00/31] 4.9.336-rc1 review Pavel Machek
2022-12-12 20:11 ` Jon Hunter
2022-12-12 20:21 ` Slade Watkins
2022-12-12 20:34 ` Slade Watkins
2022-12-12 22:10 ` Florian Fainelli
2022-12-13 0:06 ` Shuah Khan
2022-12-13 0:23 ` Guenter Roeck
2022-12-13 12:09 ` Naresh Kamboju
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20221212130911.101560720@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=aahringo@redhat.com \
--cc=patches@lists.linux.dev \
--cc=sashal@kernel.org \
--cc=stable@vger.kernel.org \
--cc=stefan@datenfreihafen.org \
--cc=weiyongjun1@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.